RCE flaw in Windows DHCP client fixed in this update

The January 2019 Patch Tuesday cycle includes a fix for a Remote Code Execution flaw in the Windows DHCP client on Windows 10 version 1803, and Microsoft says you should patch as soon as possible.

The patch is bundled into Windows 10 cumulative update KB4480966, which is only available for version 1803 (April 2018 Update), as this is the only Windows release that’s affected by the flaw.

The vulnerability is detailed by Microsoft in CVE-2019-0547 where the company explains that there is no known exploit right now.

“A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client. An attacker who successfully exploited the vulnerability could run arbitrary code on the client machine,” it says.

“To exploit the vulnerability, an attacker could send a specially crafted DHCP responses to a client. The security update addresses the vulnerability by correcting how Windows DHCP clients handle certain DHCP responses.”

Known issues

Nate Warfield of the MSRC team says the bug was discovered internally and no proof of concept would be released, though you are strongly recommended to install the update as soon as possible.

What’s important to know is that this cumulative update comes with four known issues, and you should have them all in mind when installing it (scroll down to the end of the article to read them in full).

One of the newest affects third-party applications, which according to Microsoft may not be able to authenticate hotspots after installing the update. A fix is already being developed and a resolution is expected in mid-January.

We aren’t aware of any known issues right now, but there’s a chance KB4480966 installs correctly, and given the security vulnerability described here, you should install it as soon as possible.

Microsoft is working on a resolution and will provide an update in an upcoming release.

After installing this update, some users cannot pin a web link on the Startmenu or the taskbar.

Microsoft is working on a resolution and will provide an update in an upcoming release.

After installing KB4467682, the cluster service may fail to start with the error “2245 (NERR_PasswordTooShort)” if the Group Policy “Minimum Password Length” is configured with greater than 14 characters.

Set the domain default "Minimum Password Length" policy to less than or equal to 14 characters.Microsoft is working on a resolution and will provide an update in an upcoming release.

After installing this update, third-party applications may have difficulty authenticating hotspots.

Microsoft is working on a resolution and estimates a solution will be available mid-January.